Do not trust users
You should consider every user a potential attacker. Trust no one, because you do not know who or what enters your website. Whether it is a spam bot, a hacker or a normal user, you should take security seriously unless you want your website to become a mess that hackers have fun with. What should you do to protect yourself?
First of all, write down every entry point of your website where you expect users to supply input: for example the user registration form, the login form, the comments form, the replies form, the private messages form, and do not forget the URL bar. Mark every point where you think your website will accept input from outside. These are the places where you will filter the incoming input before you process it against your database. But how does SQL injection work?
If we think in general terms about programming, there are two types of strings or text. One is text that is to be displayed as information on the screen, and the other is the programming statement or command that makes that information appear. Let's look at an example of how a website checks a user's input and logs them in.
You have an HTML form where you ask a user for their username and password. After they fill in the required fields you take those inputs and process them with PHP or another server-side scripting language. Processing means searching your database for a user that matches these inputs (username and password).
SELECT * FROM Users WHERE username='$username' AND password='$password'
where the variables $username and $password hold the data that came from your HTML login form. As we said earlier, there are two types of strings in programming: one is the command that processes data and the other is the actual data we want to process. In this case the SQL command is the string that searches the Users table for rows matching the data in the variables $username and $password, and the data in those variables comes from an HTML input form. With SQL injection, attackers manage to turn this ordinary text, which is not supposed to be a command, into SQL commands like the one above. This means the text inside $username and $password can be turned into commands, and an attacker will write whatever commands can harm your database or force it to display private data. How is it done?
If they put input data like this into your HTML form:
username: 'admin (with a leading quote)
password: 'admin (with a leading quote)
Let's see how it is processed in the SQL statement above.
SELECT * FROM Users WHERE username=''admin' AND password=''admin'
Notice the quote inside the outer quotes in username and password: ' 'admin'
The input data that came from outside is supposed to sit inside the quotes, but what an attacker does is escape those quotes and step outside them by putting a quote before the input. Since normal text is wrapped inside quotes, once the attacker breaks out of the quotes he is in the command area, where he can write anything he wants. Now the SQL statement above takes whatever sits between the first pair of quotes as the input, which is an empty string, and the real input lands outside it: '' (what SQL thinks is the input) admin'. Poor SQL is fooled very easily. And an attacker could write this:
SELECT * FROM Users WHERE username=''1 or 1 = 1 ' AND password='' 1 or 1 = 1'
This statement tests whether the username is equal to 1 and, if that fails, tests whether 1 = 1. Since 1 is always equal to 1, this command is accepted and an attacker can log in to your admin area.
Luckily for us there are functions that filter everything that comes from outside as input and make sure attackers never escape the quotes and enter the command area.
In PHP you can use a single function to filter these quotes (') so that they are treated as part of the actual input, preventing the escape from the area where normal text is supposed to be. That function is
mysql_real_escape_string($username);
Another, more modern approach is to use prepared statements (PDO). Many developers say that PDO is the best way to protect against SQL injection attacks.
However, we are not done yet. Not so easy, eh? There are ways an attacker can still get bad input processed even if we filtered everything.
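The login check above, shown both the way the post warns against and the prepared-statement way it recommends. This is an added example, not code from the original post; it uses Python's sqlite3 module in place of PHP and MySQL because the bug and the fix are identical in any driver, and the Users table, the admin row and its password are constructed placeholders. The bypass input is the post's own "1 = 1" idea in a form the database actually parses.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: an in-memory Users table with one row.
    The credentials are placeholders for the example, not real ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users (username, password) VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern from the post: form input spliced straight into the SQL text.
    The quotes around the input are the only thing separating data from command."""
    sql = f"SELECT * FROM Users WHERE username='{username}' AND password='{password}'"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # A stray quote that breaks the syntax just errors out (the post's 'admin
        # case). The dangerous case is input that keeps the statement well-formed
        # but changes its logic, handled below.
        return None


def login_safe(conn, username, password):
    """Parameterized query, the prepared-statement approach the post recommends (PDO in PHP).
    The SQL text and the values travel separately, so a quote in the input is
    only ever data and never reaches the command area."""
    sql = "SELECT * FROM Users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Normal use: both versions accept the right credentials.
    print(login_vulnerable(conn, "admin", "correct-horse"))
    print(login_safe(conn, "admin", "correct-horse"))
    # The post's quote trick as a well-formed statement: the concatenated query
    # becomes  ... WHERE username='' OR 1=1 --' AND password='anything'
    # and returns the first user; the parameterized one returns nothing.
    bypass = "' OR 1=1 --"
    print(login_vulnerable(conn, bypass, "anything"))
    print(login_safe(conn, bypass, "anything"))
```

The parameterized version needs no escaping function at all: there is no string for the quote to escape from, which is why it is the fix worth reaching for first.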
Do not trust your own database
As we said, PDO registers the input exactly as it comes from outside. But what if input like this is stored in a field of our table: 'John, and later other queries take that value and do further processing with it? Then SQL injection can happen again. This means that even if we manage to store data in our database without being hacked, we should still not trust our own database, because bad data can sit there and harm us. To avoid this we should also filter data that is already stored in our database.
To successfully protect your website from this type of attack you should keep these considerations in mind.
Filter everything that comes from an HTML input form, whether it is a login, registration, comment, subscribe, contact or any other form.
Filter everything that comes from our database itself, because our fields can still contain data that gets processed in a way we do not expect and can harm us.
Filter everything that comes from the URL bar via the $_GET and $_POST methods. The URL bar is also invited to the SQL injection party, and is one of its important guests.
The security of your website matters, because you do not want to be hacked by someone who thinks he can bring you down, or thinks he is clever, or whatever.
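The "do not trust your own database" case from the section above, as an added example that is not part of the original post. Registration is done correctly with a parameter, so the 'John style value is stored exactly as typed; the damage happens only when a later query trusts the stored value and splices it into SQL text. The Users and Messages tables, their rows and the usernames are constructed for the example, and sqlite3 again stands in for the PHP and MySQL the post has in mind.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: users register, and a later page shows each
    user the private messages whose owner column matches their username."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE Messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO Messages (owner, body) VALUES ('alice', 'alice private note');
        INSERT INTO Messages (owner, body) VALUES ('bob', 'bob private note');
    """)
    return conn


def register(conn, username) -> int:
    """Registration done the right way (parameterized). Whatever the user typed,
    quotes included, is stored verbatim; nothing is injected at this step."""
    cur = conn.execute("INSERT INTO Users (username) VALUES (?)", (username,))
    conn.commit()
    return cur.lastrowid


def _stored_username(conn, user_id) -> str:
    return conn.execute("SELECT username FROM Users WHERE id=?", (user_id,)).fetchone()[0]


def messages_for_vulnerable(conn, user_id):
    """Later query that treats the database as trusted and concatenates the stored
    username. The quote that was harmless at registration now reaches the command
    area: 'John breaks the statement, and a value that keeps the syntax valid can
    widen the WHERE clause to other users' rows."""
    stored = _stored_username(conn, user_id)
    sql = f"SELECT body FROM Messages WHERE owner='{stored}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


def messages_for_safe(conn, user_id):
    """Same lookup with the stored value passed as a parameter: data read back
    from our own tables gets exactly the treatment form input gets."""
    stored = _stored_username(conn, user_id)
    return [row[0] for row in conn.execute("SELECT body FROM Messages WHERE owner=?", (stored,))]


if __name__ == "__main__":
    conn = make_db()
    alice = register(conn, "alice")
    john = register(conn, "'John")            # the post's example value
    widened = register(conn, "x' OR '1'='1")  # a stored value that stays syntactically valid
    for uid in (alice, john, widened):
        print(messages_for_vulnerable(conn, uid), "|", messages_for_safe(conn, uid))
```

The fix is the same one as for form input: every query, including the ones that only ever see values read back from our own tables, is parameterized, so there is no point at which stored data can become part of a command.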